One of the biggest challenges in OT (Operational Technology) systems is technology obsolescence. Here, we are not talking about the machinery part but the controller part.

A typical machine (or plant) has two major portions: machinery (e.g. motor, valve) and C&I (control and instrumentation). Nowadays traditional C&I is being replaced by commodity hardware and software because they are readily available on the market.

The pain point is real: the technology product lifecycle is shorter than that of the machinery. Most often, these microprocessor controllers enter an end-of-support state because the OEMs of the embedded OS platform and applications will not fix publicly known vulnerabilities; their support policies cover only the latest few versions.

From a system reliability perspective, support is important, but from a cyber security perspective, end of support is not the end of the world. As long as the “system” is still running, there is no need to upgrade it just because of the fear of a hypothetical cyber attack.

The plant room in the illustration hosts those microprocessor-controlled mechanical parts. Which affects the lift operation: technology obsolescence, or wear and tear of the mechanical parts? You know the answer.

Therefore, as a good cybersecurity practitioner, do not write impractical policy statements, because policy non-compliance will drive business units to follow them blindly, spending unnecessary resources.
